packetsifterTool : A Tool To Aid Analysts In Sifting Through A Packet Capture (Pcap) To Find Noteworthy Traffic

packetsifterTool is to perform batch processing of PCAP data to uncover potential IOCs.
Simply initialize PacketSifter with your desired integrations (Virus Total, Abuse IPDB) and pass PacketSifter a pcap and the desired switches and PacketSifter will sift through the data and generate several output files.

Note Please run AbuseIPDBInitial.sh and VTInitial.sh prior to using their corresponding switches or the integrations will not work

05/27/2021
PacketSifter has been revamped to allow a more streamlined interaction with the user. Simply download the new updated packetsifter.sh, run ./packetsifter -h and learn how to properly use the new PacketSifter!

How It Works

Simply pass PacketSifter your pcap to analyze along with your desired flags and let PacketSifter do the work for you!

Example:

root@ubuntu:~# ./packetsifter -i /tmp/testing.pcap -a -r -v

Command Line Options

OPTIONS:

• -a   enable abuseipdb lookups of IP addresses in DNS A records
• -h   print help
• -i   input file [Required]
• -r   resolve hostnames in pcap [Can result in DNS queries to attacker infrastructure]
• -v   enable VirusTotal lookup of exported SMB/HTTP objects

Requirements

tshark – https://tshark.dev/setup/install/

Output

Currently, PacketSifter generates the following pcaps:

• http.pcap – All conversations containing port 80, 8080, or 8000
• smb.pcap – All conversations categorized by tshark dissectors as NBSS, SMB, or SMB2
• dns.pcap – All conversations categorized by tshark dissectors as DNS
• ftp.pcap – All conversations categorized by tshark dissectors as FTP

Currently, PacketSifter generates the following text files:

• IOstatistics.txt – Protocol Hierarchy and Input/Output broken up in 30 second intervals (useful to find potential beaconing)
• IPstatistics.txt – Overall stats to/from endpoints over IP and individual conversations over IP
• TCPstatistics – Overall stats to/from endpoints over TCP and individual TCP conversations broken down. <> This file can contain a large amount of information. It is recommended to use less or grep for a conversation in question.
• http_info.txt – Statistical data about HTTP conversations
• hostnamesResolved.txt (optional) – Resolved hostnames observed in pcap. <> This can result in DNS queries for attacker infrastructure. Proceed with caution!!
• SMBstatistics.txt – Stats on commands ran using smb or smb2
• dnsARecords.txt – DNS A query/responses
• dnsTXTRecords.txt – DNS TXT query/responses
• errors.txt – trash file

VirusTotal Integration output text files (all optional):

• httpHashToObject.txt – Text file containing md5 hash to object pairing for reference
• httpVTResults.txt – Text file containing results of md5 hash lookup of http objects via VirusTotal API
• smbHashToObject.txt – Text file containing md5 hash to object pairing for reference
• smbVTResults.txt – Text file containing results of md5 hash lookup of smb objects via VirusTotal API

AbuseIPDB Integration output text files (optional):

• IPLookupResults.txt – Text file containing IP Geo-location + IP reputation results

Currently, PacketSifter generates the following tar.gz files:

• httpObjects.tar.gz – HTTP objects observed in pcap. <> There could be a lot of HTTP objects and you can potentially extract malicious http objects depending on the pcap. Use with caution!!
• smbObjects.tar.gz – SMB objects observed in pcap. There could be a lot of SMB objects and you can potentially extract malicious SMB objects depending on the pcap. Use with caution!!

VirusTotal Integration

PacketSifter can now perform hash lookups via VirusTotal API of exported objects found via SMB/HTTP.

Steps to configure PacketSifter with VirusTotal integration:

1. Ensure you have jq (https://stedolan.github.io/jq/download/) installed.

root@ubuntu:~# apt-get install jq

• Ensure you have curl installed.

root@ubuntu:~# apt-get install curl

• Download the new version of packetsifter.sh and the new script VTInitial.sh
• Run VTInitial.sh in the same folder as packetsifter.sh and supply your 64 character alphanumeric VirusTotal API Key when prompted
• For instructions on how to obtain a free VirusTotal API Key https://developers.virustotal.com/reference

Successful output of VTInitial.sh is shown below:

 Run PacketSifter with the -v flag to enable VirusTotal lookups of exported HTTP and SMB objects.

Successful output of VirusTotal integration and subsequent generated httpVTResults.txt / smbVTResults.txt shown below:

AbuseIPDB Integration

PacketSifter can perform IP Geo-location + IP reputation lookups of IP addresses returned in DNS A Records.

Steps to configure PacketSifter with AbuseIPDB integration:

• Ensure you have jq (https://stedolan.github.io/jq/download/) installed.

root@ubuntu:~# apt-get install jq

• Ensure you have curl installed.

root@ubuntu:~# apt-get install curl

• Download the new version of packetsifter.sh and the new script AbuseIPDBInitial.sh
• Run AbuseIPDBInitial.sh in the same folder as packetsifter.sh and supply your 80 character alphanumeric AbuseIPDB API Key when prompted.
• For instructions on how to obtain a free AbuseIPDB API Key https://www.abuseipdb.com/register

**AbuseIPDB free API keys have a limit of 1000 lookups a day**
Successful output of AbuseIPDBInitial.sh is shown below:

• Run PacketSifter with the -a flag to enable lookups on DNS A records via AbuseIPDB.

Successful output of AbuseIPDB integration and subsequent generated IPLookupResults.txt shown below:
**Confidence Score is on a 0-100 percent confidence scale**